Abstract: In this paper, we apply Propositional Temporal Logic (PTL) to the specification and synthesis of the synchronization part of communicating processes. To specify a process, we give a PTL formula that describes its sequence of communications. The synthesis is done by constructing a model of the given specifications using a tableau-like satisfiability algorithm for PTL. This model can then be interpreted as a program.


1. Introduction


Most concurrent programs can easily be separated into two parts: a synchronization part that enforces the necessary constraints on the relative timing of the execution of the different processes and a functional part that actually manipulates the data and performs the computation required of the program. For example, the part of a concurrent program that ensures mutual exclusion between sections of code is in the "synchronization part" of that program whereas the code that is made mutually exclusive is in the "functional part".

The synchronization part of a concurrent program is rarely deep, but it is nevertheless frequently complicated. That is, writing it requires a lot of attention to intricate details but does not require insight into a variety of underlying mathematical theories. These characteristics make the development of tools for specifying and automatically synthesizing synchronization code a highly desirable and yet manageable task.

In this paper, we propose to use Propositional Temporal Logic (PTL) as a specification language for the synchronization part of CSP-like programs and we present a corresponding synthesis algorithm based on the decision procedure for PTL.

This research was supported in part by the National Science Foundation under grant MCS80-06930, by the Office of Naval Research under Contract N00014-76-C-0687, by the United States Air Force Office of Scientific Research under Grant AFOSR-81-0014 and by an IBM Predoctoral Fellowship.

This report appears in Proceedings of the Workshop on Logics of Programs, Yorktown Heights, NY, Springer-Verlag Lecture Notes in Computer Science, 1981.
CSP, the language of Communicating Sequential Processes, was developed by Hoare [Ho78] as a tool for describing distributed processes. It views distributed processes as interacting exclusively through well defined inter-process input/output (I/O) operations. This makes it quite easy to separate the "synchronization part" of a CSP program from its "functional part". Indeed, the "synchronization part" can be viewed as the program abstracted to its I/O operations. To describe the synchronization part of a CSP program it is then usually sufficient to give the temporal relations that have to exist between the execution of specific I/O operations.

Propositional Temporal Logic ([Pr67], [RU71]) is especially well suited for this task. Indeed, it is an extension of classical propositional logic geared towards the description of sequences. Moreover, PTL is decidable and has the finite model property. That is, given a PTL formula it is decidable if that formula is satisfiable, and if it is satisfiable, it has a finite model. This will be the basis of our synthesis method. Indeed, given specifications in PTL, we will use a tableau-like method ([Sm68], [BMP81]) to test for satisfiability and construct a model of the specifying formula. We then extract from that model the synchronization part of a CSP-like program.


2. The CSP Framework

The framework in which we specify and synthesize synchronization problems is that of Hoare's language of Communicating Sequential Processes (CSP) [Ho78]. A program in that language is a collection of (possibly nondeterministic) sequential processes each of which can include inter-process I/O operations. These I/O operations are the only interaction between the processes. Syntactically, an inter-process I/O operation names the source (input) or destination (output) process and gives the information to be transmitted. In Hoare's notation, the operation "output $s$ to process $P$" is written

$P!s$

and the operation "input $s$ from process $P$" is

$P?s$

Semantically, when a process reaches an input (output) operation, it waits for the corresponding process to reach the matching output (input) operation. At that point, the operation is performed and both processes resume their execution. There is no queuing or buffering of messages.

We will use CSP with the following modifications:

a) We consider systems of non-terminating processes. Terminating processes can be accommodated if they are considered to end with a dummy I/O operation that is repeated forever.

b) As we are interested in pure synchronization problems, we will assume that the only information exchanged between processes is a finite set of signals.

c) We assume that when several I/O operations are possible, the one to be executed is chosen fairly. More specifically, we assume that if an I/O operation is infinitely often enabled (both sender and receiver are ready to perform it) it will eventually be executed.

We will specify systems of processes where one process, the synchronizer $S$, communicates with a set of other processes $P_i$, $1 \le i \le n$. Thus, the only communications taking place are between the synchronizer $S$ and each of the processes $P_i$.

To specify the synchronization part of such a system, we will look at the infinite sequence of I/O operations executed by each of the processes ($S$ and the $P_i$'s) that we assume to be non-terminating.

Example: Consider a system with a synchronizer $S$ and two processes $P_1$ and $P_2$, where $S$ receives signals $s_1$ and $s_2$ from $P_1$ and signals $s_3$ and $s_4$ from $P_2$. The sequence of I/O operations executed by $S$ will be some interleaving of the four operations $P_1?s_1$, $P_1?s_2$, $P_2?s_3$, $P_2?s_4$. For instance it could be

$P_1?s_1 \quad P_2?s_4 \quad P_2?s_3 \quad P_1?s_2 \quad \ldots$

Similarly, the sequence of I/O operations executed by $P_1$ will be some interleaving of $S!s_1$, $S!s_2$.

The specifications will, for each process independently, characterize those sequences of I/O operations that are acceptable. The synthesis algorithm will then generate a program that when executed generates a sequence of I/O operations satisfying the specifications.

3. The Specification Language

As a specification language, we use Propositional Temporal Logic (PTL). Temporal Logic was initially developed as a branch of philosophical logic dealing with the nature of time and of temporal concepts ([Pr67], [RU71]). Recently it has been adapted to the task of reasoning about the execution sequences of programs and was found especially useful in proving properties of concurrent programs ([Pn77], [MP81]). Here, we use Temporal Logic in a similar framework; the specific formal PTL system we use is a variant of the one appearing in [GPSS80].

Intuitively, PTL is a logic oriented towards reasoning about sequences. It is a classical propositional logic extended with four temporal operators: $\bigcirc$, $\Diamond$, $\Box$ and $\mathcal{U}$; the first three are unary, the last binary. For a sequence and a given state in that sequence,

$\bigcirc f$ is true iff $f$ is true in the next state in the sequence;

$\Box f$ is true iff $f$ is true in all future states of that sequence;

$\Diamond f$ is true iff $f$ is true in some future state (i.e., it is eventually true); and

$f_1\,\mathcal{U}\,f_2$ is true iff $f_1$ is true for all states until the first state where $f_2$ is true.

More formally, PTL has the following syntax and semantics:

Syntax:

PTL formulas are built from

• A set $P$ of atomic propositions: $p_1, p_2, p_3, \ldots$

• Boolean connectives: $\wedge$, $\neg$.

• Temporal operators: $\bigcirc$ ("next"), $\Box$ ("always"), $\Diamond$ ("eventually"), $\mathcal{U}$ ("until").

The formation rules are:

• An atomic proposition $p \in P$ is a formula.

• If $f_1$ and $f_2$ are formulas, so are

$f_1 \wedge f_2,\quad \neg f_1,\quad \bigcirc f_1,\quad \Box f_1,\quad \Diamond f_1,\quad f_1\,\mathcal{U}\,f_2.$

We will also use $\vee$ and $\supset$ as the usual abbreviations.

Semantics:

A structure for a PTL formula (with set $P$ of atomic propositions) is a triple $A = (S, N, \pi)$ where

• $S$ is an enumerable set of states.

• $N: S \to S$ is an accessibility function that for each state gives a unique next state.

• $\pi: S \to 2^P$ assigns truth values to the atomic propositions of the language in each state.

For a structure $A$ and a state $s \in S$ we have

$(A, s) \models p$ iff $p \in \pi(s)$

$(A, s) \models f_1 \wedge f_2$ iff $(A, s) \models f_1$ and $(A, s) \models f_2$

$(A, s) \models \neg f$ iff not $(A, s) \models f$

$(A, s) \models \bigcirc f$ iff $(A, N(s)) \models f$

In the following definitions, we denote by $N^i(s)$ the $i$th state in the sequence

$s,\ N(s),\ N(N(s)),\ N(N(N(s))),\ \ldots$

of successors of a state $s$.

$(A, s) \models \Box f$ iff $(\forall i \ge 0)\,((A, N^i(s)) \models f)$

$(A, s) \models \Diamond f$ iff $(\exists i \ge 0)\,((A, N^i(s)) \models f)$

$(A, s) \models f_1\,\mathcal{U}\,f_2$ iff $(\forall i \ge 0)\,((A, N^i(s)) \models f_1)$ or $(\exists i \ge 0)\,\big((A, N^i(s)) \models f_2 \ \wedge\ \forall j\,(0 \le j < i \supset (A, N^j(s)) \models f_1)\big)$

An interpretation $I = (A, s_0)$ for PTL consists of a structure $A$ and an initial state $s_0 \in S$. We will say that an interpretation $I = (A, s_0)$ satisfies a formula $f$ iff $(A, s_0) \models f$. Since an interpretation $I$ uniquely determines a sequence

$\sigma = s_0,\ N(s_0),\ N^2(s_0),\ N^3(s_0),\ \ldots$

we will often say "the sequence $\sigma$ satisfies a formula" instead of "the interpretation $I$ satisfies a formula".

Note: The temporal operators we have defined differ from those in [GPSS80] in the following way:

• They are reflexive. That is, a state is included in its own sequence of successors.

• The Until operator does not have an "eventuality component". That is, according to our definitions, $f_1\,\mathcal{U}\,f_2$ does not imply $\Diamond f_2$.

Our purpose in using PTL is to describe processes by specifying their allowable sequences of I/O operations. To do this, we consider PTL formulas where the atomic propositions stand for I/O operations. And, to reflect the fact that we are looking at sequences where only one I/O operation occurs at a time, we systematically add to our specifications for each process the following single event condition:

$\Box\Big(\big(\bigvee_{1 \le i \le n} p_i\big) \wedge \big(\bigwedge_{1 \le i < j \le n} \neg(p_i \wedge p_j)\big)\Big)$ (3.1)

where $p_1, \ldots, p_n$ are all the atomic propositions (I/O operations) appearing in the specifications of that process. In other words, a state of our temporal logic corresponds to the execution of exactly one I/O operation (the atomic proposition true in that state) and the "next" state corresponds to the execution of the next I/O operation.

Example:

For a process $P$ that sends signals $s_1$ and $s_2$ to a process $S$,

$S!s_1$

specifies that all its sequences of I/O operations start with $S!s_1$. And,

$\Box(S!s_1 \supset \bigcirc S!s_2)$

specifies that $S!s_1$ is always immediately followed by $S!s_2$, with no other I/O operation being performed by $P$ in between.


4. Examples of Specifications

Let us first recall that when we give the specifications for a synchronization problem, we independently give the specifications for each of the processes involved (the synchronizer $S$ and the synchronized processes $P_i$). That means that for each process we give a PTL formula that, in conjunction with the single event condition (3.1), has to be satisfied by the sequences of I/O operations executed by that process. Thus, for instance, $\bigcirc$ means "next" in the particular process we are specifying.

Example 1: Mutual Exclusion

Suppose we have two processes, $P_1$ and $P_2$, that communicate with a synchronizer $S$. The signals sent to the synchronizer by $P_i$ ($i = 1, 2$) are $S!begin_i$ (begin critical section) and $S!end_i$ (end critical section). The synchronizer should ensure that processes $P_1$ and $P_2$ are never simultaneously in their respective critical sections, which start with $S!begin_i$ and end with $S!end_i$. What the specifications for a process $P_i$ should say is that $P_i$ alternately sends $begin_i$ and $end_i$ signals, starting with a $begin_i$. This is expressed by the conjunction of the following formulas:

$S!begin_i$

(the first signal sent is begin critical section)

$\Box(S!begin_i \supset \bigcirc S!end_i)$

(after a begin critical section signal, the next signal sent is end critical section)

$\Box(S!end_i \supset \bigcirc S!begin_i)$

(after an end critical section signal, the next signal sent is begin critical section).




The specifications for the synchronizer are:

$\Box(P_1?begin_1 \supset ((\neg P_2?begin_2)\,\mathcal{U}\,(P_1?end_1)))$

(after letting $P_1$ proceed into its critical section by accepting a $begin_1$ signal, do not let $P_2$ enter its own critical section until $P_1$ has finished)

$\Box(P_2?begin_2 \supset ((\neg P_1?begin_1)\,\mathcal{U}\,(P_2?end_2)))$

(after letting $P_2$ proceed into its critical section by accepting a $begin_2$ signal, do not let $P_1$ enter its own critical section until $P_2$ has finished).

One would expect that it is also necessary to specify absence of starvation:

$\Box(\Diamond P_1?begin_1 \vee \Diamond P_1?end_1)$

(do not neglect $P_1$ indefinitely)

$\Box(\Diamond P_2?begin_2 \vee \Diamond P_2?end_2)$

(do not neglect $P_2$ indefinitely). But as we will see later, in Section 6, we do not have to write these conditions explicitly since they will always be systematically introduced during the synthesis.


Example 2: Dining Philosophers

We specify the classical dining philosophers problem for three philosophers. Three philosophers are sitting at a round table in a Chinese restaurant alternately thinking and eating. Between two philosophers there is only one chopstick and a philosopher needs to pick up both the chopstick at his left and the one at his right before he can eat. The problem is to synchronize the eating of the philosophers. We have a process $P_i$ per philosopher and a synchronizer (or "chopsticks" process) $S$. Each philosopher $P_i$ communicates with the synchronizer $S$ by four operations:

$S!pick_i$ (pick up chopstick $i$)

$S!pick_{i \oplus 1}$ (pick up chopstick $i \oplus 1$)

$S!put_{i \oplus 1}$ (put down chopstick $i \oplus 1$)

$S!put_i$ (put down chopstick $i$)

($\oplus$ designates addition modulo 3; we will also use $\ominus$ for subtraction modulo 3). The specifications for each philosopher $P_i$, $i = 1, 2, 3$ are:

$S!pick_i$

(the first signal sent is $pick_i$)

$\Box(S!pick_i \supset \bigcirc S!pick_{i \oplus 1})$

$\Box(S!pick_{i \oplus 1} \supset \bigcirc S!put_{i \oplus 1})$

$\Box(S!put_{i \oplus 1} \supset \bigcirc S!put_i)$

$\Box(S!put_i \supset \bigcirc S!pick_i)$

Again, these specifications say that each philosopher repeatedly picks up one chopstick, picks up the second, puts the second chopstick down and puts the first chopstick down.

The specifications for the synchronizer are

$\Box(P_i?pick_i \supset ((\neg P_{i \ominus 1}?pick_i)\,\mathcal{U}\,(P_i?put_i)))$

$\Box(P_i?pick_{i \oplus 1} \supset ((\neg P_{i \oplus 1}?pick_{i \oplus 1})\,\mathcal{U}\,(P_i?put_{i \oplus 1})))$

for $i = 1, 2, 3$. These essentially say that a chopstick cannot be picked up by two philosophers simultaneously.

5. Overview of the Synthesis

As described in Section 3, when we specify a system of processes, we specify each of the processes involved separately. This makes the specification task much easier. However, to deal with some properties of the system like absence of deadlock or starvation, we have to look at the combination of the specifications of all the processes involved. But, as the specifications refer to the sequence of I/O operations of each process separately, we first have to modify these specifications so that they refer to the global sequence of I/O operations, that is the merge of the sequences of I/O operations of the individual processes.

Thus, the first step of our synthesis is the relativization procedure that takes the specifications of each process (the local specifications) and transforms them into specifications for the global system of processes (the global specifications). After the relativization, we proceed to do the synthesis with the global specifications of the system of processes.

The second step is then to apply a tableau-like satisfiability algorithm for PTL to these global specifications. The tableau decision procedure we use is essentially the one described in [BMP81] restricted to linear time and modified to use our assumption that exactly one atomic proposition is true in each state.

The decision procedure can have two possible outcomes: either it declares that the specifications are unsatisfiable, in which case there is no program that can satisfy the synchronization problem as specified; or it produces a model graph from which all possible models of the specifications can be extracted.

This model graph could almost be transformed into the programs we are synthesizing except for the fact that there could be some paths in the graph that never satisfy some eventualities (properties of the form $\Diamond f$). In other words, though all models of the specifications can be generated from that graph, not all paths generated by the graph are models of the specifications. Our next step will thus be to unwind the graph to obtain an actual model of the specifications. Unfortunately, this unwinding usually gives a graph that, though it generates only models of the specifications, generates only one or a few of the possible models. In programming terms, this means that our processes will be restricted to only a few of the possible execution sequences satisfying the specifications, which clearly is undesirable.

In the special case where the eventualities are "non temporal" (i.e., of the form $\Diamond f$ where $f$ does not contain temporal operators) we are able to avoid unwinding by relying on our fairness hypothesis on the execution of CSP programs. We then synthesize our programs from a model graph that not only generates only models of the specifications (given the fairness hypothesis) but also can generate all possible models.

The final step in the synthesis will be to extract the processes from the model graph. This is rather straightforward as the model graph itself can be viewed as the synchronizer process and the other processes can be obtained as restrictions of that graph.

In summary, the steps of our synthesis will be

1) relativize the specifications (to obtain the global specifications).

2) apply the satisfiability algorithm (to obtain the model graph).

3) unwind if necessary (to satisfy eventualities).

4) generate the individual processes.


6. Relativization

Our purpose here is to take the local specifications of the processes and transform them into global specifications for the sequence of I/O operations executed by the whole system of processes. At first glance it might seem that the global specifications would simply be the conjunction of the specifications of all the processes involved. However, before taking that conjunction there are three problems that have to be dealt with:

(1) At the global level, the sending and receiving of a given message is a single action. Thus, we have to make explicit the correspondence between pairs of matching I/O operations; that is, pairs of operations consisting of an output operation that sends a given message (e.g. $S!s$ appearing in $P_i$) and the corresponding operation that receives that message (e.g. $P_i?s$ appearing in $S$).

(2) The local specifications for a process describe its sequence of I/O operations. But, that sequence is only a subsequence of the global sequence of I/O operations. The local specifications have to be modified to reflect this fact. Note: we are reasoning under our assumption that only one I/O operation happens at a time (locally and globally).

(3) The subsequence of the global sequence corresponding to each process is infinite. This has to be made explicit in the global specifications.

These considerations lead us to the following three steps of our relativization procedure.

(1) Rename matching I/O operations to a unique new appellation. For example we would, in our preceding example, rename $S!begin_1$ and $P_1?begin_1$ to $begin_1$.

(2) Define $inP_i$ to be $p_1 \vee \ldots \vee p_n$ where $p_1, \ldots, p_n$ are the I/O operations appearing in $P_i$. Then, to reflect the fact that the specifications for $P_i$ concern a subsequence of the global sequence, we transform these specifications using the two following rules:

$p \to (\neg inP_i\,\mathcal{U}\,p)$ (6.1)

where $p$ is an atomic proposition, and

$\bigcirc f \to (\neg inP_i\,\mathcal{U}\,(inP_i \wedge \bigcirc f))$ (6.2)

That is, the right-hand side of (6.1) is substituted for all the atomic propositions in the specifications of $P_i$ and the right-hand side of (6.2) for all occurrences of $\bigcirc$. Note: in our specific framework, all I/O operations occur between the synchronizer $S$ and some other process $P_i$. Thus for the synchronizer $inS = true$ and its specifications need not be modified.

(3) For each process $P_i$ we add the following infinite subsequence requirement.

$\Box\Diamond(inP_i)$ (6.3)

That is, some operation of process $P_i$ has to occur infinitely often in the global sequence.

The global specifications are then the conjunction of the specification for the synchronizer, the specification for the processes $P_i$ modified using (6.1) and (6.2) and the requirements (6.3).
The only non-trivial step is step (2). Let us call the local specifications for a process $P_i$ transformed by using rules (6.1) and (6.2) the modified specifications for $P_i$. We have the following result:

Proposition 6.1: A sequence satisfies the modified specifications for $P_i$ if and only if its subsequence consisting of all the I/O operations of $P_i$ satisfies the original specifications for $P_i$.

The proposition can be easily proved by induction on the structure of the specifications for $P_i$.

Before we give an example, let us first note that for a formula relative to a process $P_i$ that is of the form

$\Box(p \supset \bigcirc q)$

(i.e., if $p$ then $q$ in the next state) the relativized version is

$\Box\big((\neg inP_i\,\mathcal{U}\,p) \supset (\neg inP_i\,\mathcal{U}\,(inP_i \wedge \bigcirc(\neg inP_i\,\mathcal{U}\,q)))\big)$

This can be simplified, using PTL equivalences, to

$\Box(p \supset \bigcirc(\neg inP_i\,\mathcal{U}\,q))$

(i.e., if $p$ then, from the next state on, we are not in $P_i$ until $q$).

Example: Mutual exclusion problem

Let us recall that the specifications for the mutual exclusion problem are:

For the processes $P_i$, $i = 1, 2$:

$S!begin_i$

$\Box(S!begin_i \supset \bigcirc S!end_i)$

$\Box(S!end_i \supset \bigcirc S!begin_i)$

For the synchronizer $S$:

$\Box(P_1?begin_1 \supset ((\neg P_2?begin_2)\,\mathcal{U}\,(P_1?end_1)))$

$\Box(P_2?begin_2 \supset ((\neg P_1?begin_1)\,\mathcal{U}\,(P_2?end_2)))$

Then, if

$inP_1 = begin_1 \vee end_1$

$inP_2 = begin_2 \vee end_2$,

the global specifications for the mutual exclusion problem are:

From the specifications of $P_1$:

$\neg inP_1\,\mathcal{U}\,begin_1$

$\Box(begin_1 \supset \bigcirc(\neg inP_1\,\mathcal{U}\,end_1))$

$\Box(end_1 \supset \bigcirc(\neg inP_1\,\mathcal{U}\,begin_1))$

From the specifications of $P_2$:

$\neg inP_2\,\mathcal{U}\,begin_2$

$\Box(begin_2 \supset \bigcirc(\neg inP_2\,\mathcal{U}\,end_2))$

$\Box(end_2 \supset \bigcirc(\neg inP_2\,\mathcal{U}\,begin_2))$

From the specifications of $S$:

$\Box(begin_1 \supset (\neg begin_2\,\mathcal{U}\,end_1))$

$\Box(begin_2 \supset (\neg begin_1\,\mathcal{U}\,end_2))$

The infinite subsequence requirements:

$\Box\Diamond inP_1$

$\Box\Diamond inP_2$

Remark: The relativization procedure can be viewed as a semantic rule for the execution in parallel of communicating processes. Indeed, if we view the meaning of a communicating process as its possible sequences of I/O operations as described by a PTL formula, then the relativization procedure gives the meaning of the concurrent execution of the processes.
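The following Python program is an added example and is not part of the paper. It implements the PTL semantics of Section 3 on ultimately periodic sequences (a finite prefix followed by a loop repeated forever, which is the shape of the finite models the tableau produces), applies the relativization rules (6.1), (6.2) and (6.3) of this section to the local mutual exclusion specifications, and checks Proposition 6.1 on concrete global sequences. The function and constant names, the tuple encoding of formulas, the prefix-plus-loop encoding of sequences and the three sample sequences are choices made for this example, not notation from the paper; each state holds exactly one I/O operation, so the single event condition (3.1) is built in.

```python
# Added example: a checker for the PTL of Section 3 on ultimately periodic
# sequences, the relativization rules (6.1)-(6.3) of Section 6, and a check of
# Proposition 6.1 on the mutual exclusion example. Formulas are nested tuples
# and a state is the single I/O operation true in it, so the single event
# condition (3.1) holds by construction. The representation and the sample
# sequences are choices made for this example, not notation from the paper.

def atom(p): return ('atom', p)
def neg(f): return ('not', f)
def imp(f, g): return ('imp', f, g)
def nxt(f): return ('next', f)
def always(f): return ('always', f)
def eventually(f): return ('eventually', f)
def until(f, g): return ('until', f, g)
def conj(*fs): return fs[0] if len(fs) == 1 else ('and', fs[0], conj(*fs[1:]))
def disj(*fs): return fs[0] if len(fs) == 1 else ('or', fs[0], disj(*fs[1:]))

def holds(f, seq, i=0):
    """(A, s_i) |= f for seq = (prefix, loop): the states of prefix followed by
    those of loop repeated forever."""
    prefix, loop = seq
    n, m = len(prefix), len(loop)
    state = lambda j: prefix[j] if j < n else loop[(j - n) % m]
    # Once j >= n the suffixes from j and from j + m coincide, so this range
    # covers every distinct future of position i.
    future = range(i, max(i, n) + m)
    op = f[0]
    if op == 'atom':       return state(i) == f[1]
    if op == 'not':        return not holds(f[1], seq, i)
    if op == 'and':        return holds(f[1], seq, i) and holds(f[2], seq, i)
    if op == 'or':         return holds(f[1], seq, i) or holds(f[2], seq, i)
    if op == 'imp':        return (not holds(f[1], seq, i)) or holds(f[2], seq, i)
    if op == 'next':       return holds(f[1], seq, i + 1)
    if op == 'always':     return all(holds(f[1], seq, j) for j in future)
    if op == 'eventually': return any(holds(f[1], seq, j) for j in future)
    if op == 'until':      # reflexive, and without eventuality component
        for j in future:
            if holds(f[2], seq, j): return True
            if not holds(f[1], seq, j): return False
        return True        # f1 holds forever
    raise ValueError(op)

def relativize(f, in_p):
    """Rules (6.1) and (6.2): a local specification of a process whose
    operations are the disjuncts of in_p becomes a global one. The other
    connectives are kept and only their subformulas are transformed."""
    op = f[0]
    if op == 'atom':
        return until(neg(in_p), f)                                        # (6.1)
    if op == 'next':
        return until(neg(in_p), conj(in_p, nxt(relativize(f[1], in_p))))  # (6.2)
    return (op,) + tuple(relativize(g, in_p) for g in f[1:])

def project(seq, ops):
    """Subsequence of seq made of the operations in ops; None if it is finite."""
    prefix, loop = seq
    sub = ([s for s in prefix if s in ops], [s for s in loop if s in ops])
    return sub if sub[1] else None

# Mutual exclusion (Example 1), after step (1) of the relativization has
# renamed S!begin_i and P_i?begin_i to begin_i (likewise for end_i).
OPS = {1: {'begin1', 'end1'}, 2: {'begin2', 'end2'}}
IN_P = {i: disj(*[atom(p) for p in sorted(OPS[i])]) for i in OPS}

def local_spec(i):
    b, e = atom('begin%d' % i), atom('end%d' % i)
    return conj(b, always(imp(b, nxt(e))), always(imp(e, nxt(b))))

SYNC = conj(always(imp(atom('begin1'), until(neg(atom('begin2')), atom('end1')))),
            always(imp(atom('begin2'), until(neg(atom('begin1')), atom('end2')))))

GLOBAL = conj(SYNC,
              *[relativize(local_spec(i), IN_P[i]) for i in OPS],
              *[always(eventually(IN_P[i])) for i in OPS])             # (6.3)

def satisfies_global(seq):
    return holds(GLOBAL, seq)

def proposition_6_1(seq, i):
    """Modified specification on the global sequence <=> original specification
    on the subsequence of P_i (False if that subsequence is finite)."""
    sub = project(seq, OPS[i])
    return sub is not None and \
        holds(relativize(local_spec(i), IN_P[i]), seq) == holds(local_spec(i), sub)

if __name__ == '__main__':
    # Constructed sample sequences: (prefix, loop).
    for name, seq in [('alternating', ([], ['begin1', 'end1', 'begin2', 'end2'])),
                      ('overlapping', ([], ['begin1', 'begin2', 'end1', 'end2'])),
                      ('P2 starved', ([], ['begin1', 'end1']))]:
        print(name, satisfies_global(seq), proposition_6_1(seq, 1), proposition_6_1(seq, 2))
```

The three constructed sequences exercise the three parts of the global specification: the alternating one satisfies everything; the overlapping one is rejected by the synchronizer's own formula; the sequence in which $P_2$ never communicates satisfies the synchronizer's formula and the modified specification of $P_2$ (whose leading $\neg inP_2\,\mathcal{U}\,begin_2$ holds vacuously, since the Until has no eventuality component) and is rejected only by the requirement $\Box\Diamond inP_2$ of step (3), which is why that requirement has to be added.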


7. The Satisfiability Algorithm

In this section we will describe the tableau method we use to test for satisfiability and construct a model of the global specifications. We will first briefly review the tableau method for propositional calculus, then indicate how it can be extended to handle temporal logic and finally give in detail the exact algorithm we have developed for our specific purpose.

A set of formulas $\{f_1, \ldots, f_n\}$ is satisfiable if there is an interpretation that simultaneously satisfies all the formulas in that set. The tableau method for propositional calculus is based on the following relations between satisfiability of sets of formulas:

T1: A set of formulas $\{f_1, \ldots, f_i \wedge f_j, \ldots, f_n\}$ is satisfiable if and only if the set of formulas $\{f_1, \ldots, f_i, f_j, \ldots, f_n\}$ is satisfiable.

T2: A set of formulas $\{f_1, \ldots, \neg(f_i \wedge f_j), \ldots, f_n\}$ is satisfiable if and only if the set $\{f_1, \ldots, \neg f_i, \ldots, f_n\}$ or the set $\{f_1, \ldots, \neg f_j, \ldots, f_n\}$ is satisfiable.

T3: A set of formulas $\{f_1, \ldots, \neg\neg f_i, \ldots, f_n\}$ is satisfiable if and only if the set $\{f_1, \ldots, f_i, \ldots, f_n\}$ is satisfiable.

To test a formula $f$ for satisfiability, one thus starts with the singleton $\{f\}$ and uses rules T1-T3 to decompose $f$ into sets of its subformulas. If the decomposition is carried on until the sets contain only atomic formulas (atomic propositions or their negation), satisfiability can easily be decided. Indeed, a set of atomic formulas is satisfiable if and only if it does not contain a proposition and its negation. This procedure actually corresponds to transforming the formula into disjunctive normal form. An extensive study of tableau methods for propositional and predicate calculus appears in [Sm68].

For PTL we also have to deal with the temporal operators. This can be done with the following three identities

$\Box f \equiv f \wedge \bigcirc\Box f$ (7.1)

$\Diamond f \equiv f \vee \bigcirc\Diamond f$ (7.2)

$f_1\,\mathcal{U}\,f_2 \equiv f_2 \vee (f_1 \wedge \bigcirc(f_1\,\mathcal{U}\,f_2))$ (7.3)

These identities will enable us to decompose a formula into sets containing atomic formulas (atomic propositions and their negation) and PTL $\bigcirc$-formulas (formulas having $\bigcirc$ as their main connective). The achievement of such a decomposition is to separate the requirements expressed by the formula into a requirement on the "current state" (the atomic formulas) and a requirement on "the rest of the sequence" (the $\bigcirc$-formulas). One then checks that the set of formulas concerning the "current state" is satisfiable and then repeats the whole process with the $\bigcirc$-formulas, after having removed their outermost $\bigcirc$ operator. In other words, one tests for satisfiability by trying to build a model state by state. As all the formulas appearing in the process are subformulas of the initial formula, one will eventually reach a state that has already occurred, thus the process terminates.

There is, however, at that point one more step to do. The identity (7.2) allows us to satisfy $\Diamond f$ by always postponing it ($\bigcirc\Diamond f$). Thus, before declaring a formula satisfiable, we have to check that all the formulas of the form $\Diamond f$ can be effectively satisfied; that is, that there is a possible future state in which $f$ is true.

Let us now describe our algorithm in more detail. The central part of the algorithm is the decomposition procedure that separates the requirements expressed by a set of formulas $S$ into requirements on the "current state" and on the "rest of the sequence". In that procedure, we use our assumption that exactly one atomic proposition is true in each state. That assumption makes it much more efficient to check all possible assignments of truth values to the atomic propositions in the current state (the number of such assignments is the same as the number of atomic propositions in the language) than to brutally apply the decomposition to a set of formulas including the single event condition (3.1). Indeed, the latter could lead to examining a number of cases that is exponential in the number of atomic propositions, but that would eventually be restricted to a linear number.

To do this, we decompose the set of formulas $S$ separately for each atomic proposition in the language. That is, for each proposition $p$, we decompose the set of formulas under the assumption that $p$ is true and the other atomic propositions false. The decomposition procedure thus takes as inputs a set of PTL formulas $S$ and a proposition $p$. It outputs a set $\Sigma_p$ of sets $S_i$ of formulas $f_{ij}$, i.e. $\Sigma_p = \{S_i\}$ where each $S_i = \{f_{ij}\}$. Each formula $f_{ij} \in S_i$ either is a $\bigcirc$-formula or is "marked", i.e. it is a formula that already has been used in the decomposition and is only kept for reference. Under the assumption that $p$ is true, the original set of formulas $S$ is satisfiable if and only if, for some $i$, all the unmarked formulas in $S_i$ are satisfiable. In other words, the $\bigcirc$-formulas in each set $S_i$ give one of the possible requirements on the "rest of the sequence" if $p$ is the proposition true in the current state.

The decomposition procedure initializes $\Sigma_p$ with the set of sets of formulas $\{S\}$ and then repeatedly transforms it until all the elements $S_i$ of $\Sigma_p$ contain only marked formulas or $\bigcirc$-formulas. It is the following:

(1) (Initialize): start with $\Sigma_p = \{S\}$.

(2) (Expand): repeat steps (3)-(5) until for all $S_i \in \Sigma_p$, all the formulas $f_{ij} \in S_i$ are marked formulas or $\bigcirc$-formulas.

(3) Pick a formula $f_{ij} \in S_i \in \Sigma_p$ that is not marked and not a $\bigcirc$-formula.

(4) (Simplify): In the formula $f_{ij}$, replace all the occurrences of $p$ that are not in the scope of a temporal operator by true and all similar occurrences of the other atomic propositions by false. Perform boolean simplification. This yields a formula $f'_{ij}$, called "$f_{ij}$ simplified for $p$".

(5) (a) if $f'_{ij} = $ true, replace $S_i$ by $S_i - \{f_{ij}\}$. Given that $p$ is true, $f_{ij}$ is identically true and can thus be removed from $S_i$.

(b) if $f'_{ij} = $ false, replace $\Sigma_p$ by $\Sigma_p - \{S_i\}$. In this case, $f_{ij}$ is false and the set $S_i$ is unsatisfiable. It can thus be removed.

(c) if $f'_{ij}$ is a $\bigcirc$-formula, replace $S_i$ by $(S_i - \{f_{ij}\}) \cup \{f'_{ij}\}$. As we have obtained a $\bigcirc$-formula, no more decomposition is necessary.

(d) if $f'_{ij}$ is of type $\alpha$ (see table below), replace $S_i$ by

$(S_i - \{f_{ij}\}) \cup \{f'^*_{ij}, \alpha_1, \alpha_2\}$

where $f'^*_{ij}$ is $f'_{ij}$ marked. Since a formula of type $\alpha$ is satisfiable iff both $\alpha_1$ and $\alpha_2$ are satisfiable, we replace $f_{ij}$ by $\alpha_1$ and $\alpha_2$. We also keep a record of $f'_{ij}$ by marking it.

(e) if $f'_{ij}$ is of type $\beta$ (see table below), replace $S_i$ by the two following sets:

$(S_i - \{f_{ij}\}) \cup \{f'^*_{ij}, \beta_1\}$, $\quad (S_i - \{f_{ij}\}) \cup \{f'^*_{ij}, \beta_2\}$

where $f'^*_{ij}$ is $f'_{ij}$ marked. Since a formula of type $\beta$ is satisfiable iff either $\beta_1$ or $\beta_2$ is satisfiable, we replace $S_i$ by two sets: one containing $\beta_1$ and one containing $\beta_2$.

The formulas of type $\alpha$ and $\beta$ are given in the following two tables. Notice the correspondence between the entries in the tables concerning temporal operators and the identities (7.1)-(7.3).

$\alpha$                          | $\alpha_1$                      | $\alpha_2$
$f_1 \wedge f_2$                  | $f_1$                           | $f_2$
$\neg\neg f_1$                    | $f_1$                           | $f_1$
$\neg\bigcirc f_1$                | $\bigcirc\neg f_1$              | $\bigcirc\neg f_1$
$\Box f_1$                        | $f_1$                           | $\bigcirc\Box f_1$
$\neg(f_1\,\mathcal{U}\,f_2)$     | $\neg f_2$                      | $\neg f_1 \vee \bigcirc\neg(f_1\,\mathcal{U}\,f_2)$
$\neg\Diamond f_1$                | $\neg f_1$                      | $\bigcirc\neg\Diamond f_1$

$\beta$                           | $\beta_1$                       | $\beta_2$
$\neg(f_1 \wedge f_2)$            | $\neg f_1$                      | $\neg f_2$
$\Diamond f_1$                    | $f_1$                           | $\bigcirc\Diamond f_1$
$f_1 \vee f_2$                    | $f_1$                           | $f_2$
$f_1\,\mathcal{U}\,f_2$           | $f_2$                           | $f_1 \wedge \bigcirc(f_1\,\mathcal{U}\,f_2)$
$\neg\Box f_1$                    | $\neg f_1$                      | $\bigcirc\neg\Box f_1$

Example: Let us apply the decomposition procedure for $q$ to the set of formulas

$S = \{\Box(q \supset (\neg p\,\mathcal{U}\,r))\}$.

$\Sigma_q$ first gets initialized to

$\{\{\Box(q \supset (\neg p\,\mathcal{U}\,r))\}\}$.

At that point, the only formula we can choose in step (3) is $\Box(q \supset (\neg p\,\mathcal{U}\,r))$. As all its atomic propositions occur within the scope of a temporal operator ($\Box$), step (4) does not modify it. Step (5d) splits $\Box(q \supset (\neg p\,\mathcal{U}\,r))$ into $q \supset (\neg p\,\mathcal{U}\,r)$ and $\bigcirc\Box(q \supset (\neg p\,\mathcal{U}\,r))$; therefore, we get

$\Sigma_q = \{\{q \supset (\neg p\,\mathcal{U}\,r),\ \bigcirc\Box(q \supset (\neg p\,\mathcal{U}\,r)),\ \Box(q \supset (\neg p\,\mathcal{U}\,r))^*\}\}$.

Step (3) then chooses $q \supset (\neg p\,\mathcal{U}\,r)$, which is simplified by step (4), after replacing $q$ by true, to $(\neg p\,\mathcal{U}\,r)$. This is a formula of type $\beta$; we thus split the set that contains it into two sets: one containing $r$ and the other containing $\neg p \wedge \bigcirc(\neg p\,\mathcal{U}\,r)$.

$\Sigma_q = \{\{r,\ (\neg p\,\mathcal{U}\,r)^*,\ \bigcirc\Box(q \supset (\neg p\,\mathcal{U}\,r)),\ \Box(q \supset (\neg p\,\mathcal{U}\,r))^*\},$

$\qquad \{\neg p \wedge \bigcirc(\neg p\,\mathcal{U}\,r),\ (\neg p\,\mathcal{U}\,r)^*,\ \bigcirc\Box(q \supset (\neg p\,\mathcal{U}\,r)),\ \Box(q \supset (\neg p\,\mathcal{U}\,r))^*\}\}$.

Then, as $r$ simplified for $q$ is false, by (5b) the first set is removed and we get

$\Sigma_q = \{\{\neg p \wedge \bigcirc(\neg p\,\mathcal{U}\,r),\ (\neg p\,\mathcal{U}\,r)^*,\ \bigcirc\Box(q \supset (\neg p\,\mathcal{U}\,r)),\ \Box(q \supset (\neg p\,\mathcal{U}\,r))^*\}\}$.

And, finally, as $\neg p \wedge \bigcirc(\neg p\,\mathcal{U}\,r)$ simplified for $q$ is $\bigcirc(\neg p\,\mathcal{U}\,r)$ ($p$ is replaced by false), we get by (5c)

$\Sigma_q = \{\{\bigcirc(\neg p\,\mathcal{U}\,r),\ (\neg p\,\mathcal{U}\,r)^*,\ \bigcirc\Box(q \supset (\neg p\,\mathcal{U}\,r)),\ \Box(q \supset (\neg p\,\mathcal{U}\,r))^*\}\}$. ∎
We can now proceed to describe the satisfiability algorithm. This algorithm uses the decomposition procedure to build a model graph that is a search for all potential models of the formula. From that graph, we will be able to decide satisfiability and to construct a model. Each node and edge in the graph is labeled with a set of formulas. The set of formulas labeling an edge always contains exactly one of the atomic propositions of the language. The edges of the graph will correspond to the "states" of the interpretation of PTL.

The graph is constructed as follows:

(1) Start with a graph containing just one node labeled by a set $S$ containing the formulas $f_i$ to be tested (the initial formulas), i.e. $S = \{f_i\}$.

(2) Repeatedly apply step (3) to the nodes of the graph until it has been applied to all nodes.

(3) For every atomic proposition $p$ in the language:

(a) Apply the decomposition procedure for $p$ to the set $S$ of formulas labeling the current node.

(b) For each set $S_i$ in the set $\Sigma_p$ generated by the decomposition procedure, create an edge labeled by $\{p\} \cup S_i$ leading to a node labeled by the set of all formulas $f$ such that $\bigcirc f \in S_i$, or to a node that can be determined to be labeled by an equivalent set of formulas. If there is no such node, create one.

Example 1: For the formula

$f_0 = \Box(q \supset (\neg p\,\mathcal{U}\,r))$,

the graph is: (figure not reproduced on this page)
For the mutual exclusion specifications (7.4)-(7.13) of section 4, of which only the following formulas are legible on this page,

$\Box(end_2 \supset \bigcirc(\neg inP_2\,\mathcal{U}\,begin_2))$

$\Box(begin_1 \supset \neg begin_2\,\mathcal{U}\,end_1)$

$\Box(begin_2 \supset \neg begin_1\,\mathcal{U}\,end_2)$

$\Box\Diamond inP_1$

$\Box\Diamond inP_2$

the graph the satisfiability algorithm yields for these specifications is then (the drawing is not reproduced; its node and edge labels, as far as they can be recovered, are):

Node $n_1$: $\{(7.4), \ldots, (7.13)\}$.

Edge $begin_1$ from $n_1$ to $n_2$: $\{begin_1,\ (7.4)^*, \ldots, (7.13)^*,\ (\neg begin_2\,\mathcal{U}\,end_1)^*,\ \Diamond inP_1^*,\ \Diamond inP_2^*,\ \bigcirc(7.5), \ldots, \bigcirc(7.13),\ \bigcirc(\neg inP_1\,\mathcal{U}\,end_1),\ \bigcirc(\neg begin_2\,\mathcal{U}\,end_1),\ \bigcirc\Diamond inP_2\}$.

Node $n_2$: $\{(7.5), \ldots, (7.13),\ (\neg inP_1\,\mathcal{U}\,end_1),\ (\neg begin_2\,\mathcal{U}\,end_1),\ \Diamond inP_2\}$.

Edge $begin_2$ from $n_1$ to $n_3$: $\{begin_2,\ (7.4)^*, \ldots, (7.13)^*,\ (\neg begin_1\,\mathcal{U}\,end_2)^*,\ \Diamond inP_1^*,\ \Diamond inP_2^*,\ \bigcirc(7.4), \ldots, \bigcirc(7.6),\ \bigcirc(7.8), \ldots,\ \bigcirc(\neg inP_2\,\mathcal{U}\,end_2),\ \bigcirc(\neg begin_1\,\mathcal{U}\,end_2),\ \bigcirc\Diamond inP_1\}$.

Node $n_3$: $\{(7.4), \ldots, (7.6),\ (7.8), \ldots,\ (\neg inP_2\,\mathcal{U}\,end_2),\ (\neg begin_1\,\mathcal{U}\,end_2),\ \Diamond inP_1\}$.

Edge $end_1$ from $n_2$: $\{end_1,\ (7.5)^*, \ldots, (7.13)^*,\ \Diamond inP_1^*,\ \Diamond inP_2^*,\ (\neg inP_1\,\mathcal{U}\,end_1)^*,\ (\neg begin_2\,\mathcal{U}\,end_1)^*,\ \bigcirc(7.4), \ldots, \bigcirc(7.13),\ \bigcirc\Diamond inP_2\}$.

Edge $end_2$ from $n_3$: $\{end_2,\ (7.4)^*, \ldots, (7.6)^*,\ (7.8)^*, \ldots,\ \Diamond inP_1^*,\ \Diamond inP_2^*,\ (\neg inP_2\,\mathcal{U}\,end_2)^*,\ (\neg begin_1\,\mathcal{U}\,end_2)^*,\ \bigcirc(7.4), \ldots, \bigcirc(7.13),\ \bigcirc\Diamond inP_1\}$.


Note that the $end_1$ edge from $n_2$ is supposed to lead to a node labeled by

$\{(7.4), \ldots, (7.13),\ \Diamond inP_2\}$.

But, as (7.13) is $\Box\Diamond inP_2$ and as $\Box\Diamond p \equiv \Box\Diamond p \wedge \Diamond p$, this set is equivalent to

$\{(7.4), \ldots, (7.13)\}$

and the edge can lead to $n_1$. Similarly, the $end_2$ edge from $n_3$ also leads to $n_1$. ∎

It is straightforward to give an upper bound on the size of the graph. The number of nodes in the graph is at most $2^{4c+2}$ where $c$ is the number of temporal operators in the formula to be tested. Indeed, given the $\alpha$ and $\beta$ rules, the formulas appearing in a node are either the initial formula, a subformula of the initial formula with a temporal operator as its main connective (there are exactly $c$ such formulas), a subformula of the initial formula appearing in the immediate scope of a $\bigcirc$ operator (there are at most $c$ such formulas) or the negation of any of the above. There are clearly at most $4c+2$ such formulas and as each node is characterized by a subset of these formulas, a bound on the number of distinct nodes is $2^{4c+2}$.

The last step of the satisfiability algorithm is to check that all the nodes are satisfiable and that all eventualities can effectively be realized. For this, we apply the following node and edge elimination procedure:

Repeatedly apply the following two rules until no longer possible.

(1) If a node has no edge leaving it, eliminate that node and all edges leading to it.

(2) If an edge contains an eventuality formula, that is a formula of the form

$\Diamond f_1$, $\neg\Box\neg f_1$ or $\neg(\neg f_1\,\mathcal{U}\,f_2)$,

then delete that edge if there is no path from that edge leading to an edge containing $\{p, f'_1\}$ for some atomic proposition $p$ in the language, where $f'_1$ is $f_1$ simplified for $p$.

Note that a formula $f_1\,\mathcal{U}\,f_2$ is itself not an eventuality: the $\beta$ rule above only unfolds it, so nothing forces $f_2$ to occur eventually; it is the negated until, $\neg(\neg f_1\,\mathcal{U}\,f_2)$, that requires $f_1$ to become true.

Note: In the preceding examples, no elimination is necessary.

We have the following result:

Proposition 7.1: The initial formula, in conjunction with the single event condition (3.1), is satisfiable if and only if the result of the elimination process is not the empty graph.

We will not give here a proof of this result as such a proof would follow very closely the one presented in [BMP81] for a branching time PTL and in [Wo81] for an extension to PTL.
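The decomposition procedure, the model graph construction and the elimination rules of this section are mechanical enough to be run. The following Python program is an added illustration and not code from the paper: it implements the three steps on formulas written as nested tuples, merges nodes only when their formula sets are syntactically equal (the paper also merges semantically equivalent sets, as in the note on the $end_1$ edge), and contains one row, for $\neg(f_1 \vee f_2)$, that the $\alpha$ table above does not list. It reproduces the decomposition of $\Box(q \supset (\neg p\,\mathcal{U}\,r))$ for $q$ worked above, builds the model graph of Example 1, and empties the graph of the unsatisfiable formula $\Diamond a \wedge \Box\neg a$ by elimination; the sample formulas and atomic propositions are constructed for the example.

```python
# Added example (not the paper's code): the tableau decision procedure of section 7.
# A formula is a str (atomic proposition) or a tuple: ('not', f) ('and', f, g) ('or', f, g)
# ('next', f) ('always', f) ('event', f) ('until', f, g).  ('mark', f) is the marked f*.
def kind(f): return f[0] if isinstance(f, tuple) else 'atom'

def simplify(f, p):
    # Step (4): atoms outside every temporal operator become true (p) or false, then boolean
    # simplification; subformulas under a temporal operator are left untouched.
    if isinstance(f, bool): return f
    if kind(f) == 'atom': return f == p
    if f[0] in ('next', 'always', 'event', 'until'): return f
    if f[0] == 'not':
        a = simplify(f[1], p)
        return (not a) if isinstance(a, bool) else ('not', a)
    a, b = simplify(f[1], p), simplify(f[2], p)
    if f[0] == 'and':
        if a is False or b is False: return False
        return b if a is True else a if b is True else ('and', a, b)
    if a is True or b is True: return True             # f[0] == 'or'
    return b if a is False else a if b is False else ('or', a, b)

def rule(f):
    # The alpha / beta tables: ('alpha', a1, a2) or ('beta', b1, b2).
    op, g = f[0], f[1]
    if op in ('and', 'or'): return ('alpha' if op == 'and' else 'beta', g, f[2])
    if op == 'always': return ('alpha', g, ('next', f))
    if op == 'event':  return ('beta', g, ('next', f))
    if op == 'until':  return ('beta', f[2], ('and', g, ('next', f)))
    gop = kind(g)                                       # op == 'not'
    if gop == 'not':    return ('alpha', g[1], g[1])
    if gop == 'next':   return ('alpha', ('next', ('not', g[1])), ('next', ('not', g[1])))
    if gop == 'until':  return ('alpha', ('not', g[2]), ('or', ('not', g[1]), ('next', f)))
    if gop == 'event':  return ('alpha', ('not', g[1]), ('next', f))
    if gop == 'and':    return ('beta', ('not', g[1]), ('not', g[2]))
    if gop == 'always': return ('beta', ('not', g[1]), ('next', f))
    return ('alpha', ('not', g[1]), ('not', g[2]))      # not(f1 or f2): row not in the paper's table

def decompose(S, p):
    # Steps (1)-(5): Sigma_p as a set of frozensets holding only next-formulas and marked formulas.
    work, sigma = [frozenset(S)], set()
    while work:
        Si = work.pop()
        f = next((g for g in Si if kind(g) not in ('next', 'mark')), None)
        if f is None:
            sigma.add(Si); continue
        fs, rest = simplify(f, p), Si - {f}
        if fs is True: work.append(rest)                                    # (5a)
        elif fs is False: pass                                              # (5b): drop S_i
        elif kind(fs) == 'next': work.append(rest | {fs})                   # (5c)
        else:
            kd, g1, g2 = rule(fs)
            if kd == 'alpha': work.append(rest | {('mark', fs), g1, g2})    # (5d)
            else: work.extend([rest | {('mark', fs), g1}, rest | {('mark', fs), g2}])  # (5e)
    return sigma

def model_graph(f0, atoms):
    # Nodes: frozensets of formulas.  Edges: (src, p, S_i, dst) with dst = {f : ('next', f) in S_i}.
    start = frozenset([f0])
    nodes, edges, todo = {start}, [], [start]
    while todo:
        n = todo.pop()
        for p in atoms:
            for Si in decompose(n, p):
                dst = frozenset(g[1] for g in Si if kind(g) == 'next')
                if dst not in nodes:                    # merge only syntactically equal sets
                    nodes.add(dst); todo.append(dst)
                edges.append((n, p, Si, dst))
    return nodes, edges

def eventualities(Si):
    # f1 for each marked <>f1, not []not f1 or not(not f1 U f2) in S_i.
    for g in Si:
        h = g[1] if kind(g) == 'mark' else None
        if kind(h) == 'event': yield h[1]
        elif kind(h) == 'not' and kind(h[1]) in ('always', 'until') and kind(h[1][1]) == 'not':
            yield h[1][1][1]

def realized(edge, f1):
    # The edge satisfies f1 now (instead of postponing it through O<>f1) if f1 simplified
    # for the edge's proposition is true or is a formula this branch took on.
    fs = simplify(f1, edge[1])
    return fs is True or fs in edge[2] or ('mark', fs) in edge[2]

def eliminate(nodes, edges):
    # Node and edge elimination; the result is empty iff the formula is unsatisfiable.
    nodes, edges, changed = set(nodes), list(edges), True
    while changed:
        changed = False
        for n in list(nodes):                           # rule (1): dead-end nodes
            if not any(e[0] == n for e in edges):
                nodes.discard(n); edges = [e for e in edges if e[3] != n]; changed = True
        for e in list(edges):                           # rule (2): unrealizable eventualities
            for f1 in eventualities(e[2]):
                seen, q = {e}, [e]
                while q and not realized(q[0], f1):     # breadth-first over successor edges
                    cur = q.pop(0)
                    new = [x for x in edges if x[0] == cur[3] and x not in seen]
                    seen.update(new); q += new
                if not q:
                    edges.remove(e); changed = True; break
    return nodes, edges

def satisfiable(f0, atoms):
    return bool(eliminate(*model_graph(f0, atoms))[0])

if __name__ == '__main__':
    F0 = ('always', ('or', ('not', 'q'), ('until', ('not', 'p'), 'r')))   # [](q > (not p U r))
    print(decompose(frozenset([F0]), 'q'), satisfiable(F0, ['p', 'q', 'r']))
```

Running the script prints the single set $\{\bigcirc(\neg p\,\mathcal{U}\,r), (\neg p\,\mathcal{U}\,r)^*, \bigcirc\Box(\ldots), \Box(\ldots)^*\}$ of the worked example and `True`; the graph for Example 1 has two nodes, one for $\{f_0\}$ and one for $\{f_0, \neg p\,\mathcal{U}\,r\}$, and the second has no $p$-edge at all, which is exactly the "no $p$ after $q$ until $r$" requirement.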


8. Eventualities and Unwinding

If the specifications are satisfiable, the decision procedure described in the previous section has provided us with a non-empty graph. This graph describes the models of the specifications in the sense that every sequence that is a model is a path in the graph and that every finite path obtained from the graph is the prefix of some model. This latter property simply follows from the fact that the decision procedure ensures that the sets of formulas associated with each edge or node of the graph are indeed satisfiable. Unfortunately, it is not always the case that all infinite paths obtainable from the graph satisfy the specifications. Indeed, some of these paths could leave some eventuality formula unsatisfied. However, it is always possible to modify the graph so that every infinite path satisfies the specifications.

The construction basically proceeds by unwinding the graph up to states where the eventualities are actually realized. The new graph is finite and can be used to generate the program we are trying to synthesize. This unwinding has the disadvantage that it forces the processes to execute one specific path among all those that satisfy the specifications; clearly, this can lead to undesirable inefficiencies.

Example: If the specifications are

$\Box\Diamond a \wedge \Box\Diamond b$, (8.1)

the unwinding algorithm could, for instance, give the sequence $a, b, a, b, a, b, \ldots$ as a model. In other words it would require that in order to satisfy (8.1) we alternately execute $a$ and $b$. This is correct but could be unacceptable in a situation where $a$ can be repeated substantially faster than $b$. ∎

In the next section, we will see that under some conditions, the unwinding can be avoided. In the meantime, let us examine the unwinding procedure we use.

Given a graph $G = (N, E)$ with nodes $N$ and edges $E$, produced by the satisfiability algorithm, we build a new graph $G' = (N', E')$ as follows.

(1) Initially $G'$ consists of a set $N'_0 = N$ of nodes. We will call $N'_0$ the initial nodes.

(2) For each node $n'_0 \in N'_0$ do the following:

(a) Select an edge $e \in E$ leaving the node $n \in N$ corresponding to $n'_0$.

(b) Build a path starting with $e'_0 = e$ such that all eventualities in $e'_0$ are satisfied on that path. Given the fact that in the decision procedure we have eliminated all edges containing eventualities that could not be satisfied, we are guaranteed that such a path always exists.

(c) Let $e'_f$ be the last edge in the path built in (b). If the corresponding edge $e_f \in E$ leads to a node $n \in N$ then connect $e'_f$ to the corresponding $n'_0 \in N'_0$.

The result of the construction is a structure that satisfies the specifications.

Example:

For the mutual exclusion problem we specified earlier, the graph $G$ we obtained from the decision procedure is of the form: (figure not reproduced on this page)

For the sake of simplicity we have only annotated the edges with atomic propositions and eventuality properties. If we apply the unwinding algorithm to this graph, we get the following graph $G'$ where $N'_0 = \{n'_1, n'_2, n'_3\}$: (figure not reproduced on this page)

To build the path starting from $n'_1$, we select the $begin_1$ edge leaving $n_1$ in $G$. This edge contains two eventualities: $\Diamond inP_2$ and $\Diamond inP_1$. A path that satisfies both these eventualities is (figure not reproduced on this page), as $begin_1$ satisfies $\Diamond inP_1$ and $begin_2$ satisfies $\Diamond inP_2$. We thus incorporate this path into $G'$ and connect its last edge to $n'_3$. ∎


9. Dynamic Satisfiability

As we pointed out in the last section, unwinding can lead to very inefficient programs. What we would really like is to be able to avoid the unwinding and decide dynamically, during the execution, which path through the graph we are going to take, but still do this in a way that satisfies the eventualities.

This is possible when the following three conditions are satisfied.

(1) the CSP program generated is executed fairly; that is, if a communication is infinitely often possible it is eventually executed.

(2) all eventualities are non-temporal, i.e. in all eventuality formulas

$\Diamond f_1$, $\neg\Box\neg f_1$ or $\neg(\neg f_1\,\mathcal{U}\,f_2)$

labeling edges, $f_1$ does not contain any temporal operators.

(3) The graph satisfies the following dynamic satisfiability criterion.

Dynamic Satisfiability Criterion:

Let us denote by $\Pi_i$ the set of atomic propositions corresponding to the I/O operations performed between the scheduler $S$ and a process $P_i$. A model graph is said to satisfy the dynamic satisfiability criterion if for each edge containing an eventuality formula of the form

$\Diamond f_1$, $\neg\Box\neg f_1$ or $\neg(\neg f_1\,\mathcal{U}\,f_2)$

(where $f_1$ is non-temporal) all maximal acyclic paths starting from that edge either

(1) contain an edge labeled by a proposition $p$ that satisfies $f_1$

or

(2) contain a node that has an outgoing edge labeled by a proposition $p \in \Pi_i$ satisfying $f_1$, provided that either

(a) the edge leaving that node and included in the path is labeled by an atomic proposition $q \in \Pi_i$, i.e. an atomic proposition representing an I/O operation performed by the same process $P_i$ as the one performing $p$

or

(b) no atomic proposition $q$ labeling an edge of that path, or of any other maximal acyclic path on which $f_1$ has to be satisfied and on which conditions (1) or (2a) do not hold, is in $\Pi_i$.

Essentially, the criterion checks that on all infinite paths, either the eventuality is realized or it is infinitely often "possible" and thus will be realized due to the fairness assumption. That means that any "fair" path in the graph is a model of the specifications and, as we will see, will be a potential execution sequence of the synthesized programs. The precise justification of the criterion involves the way we obtain the individual processes and the assumptions we make about their execution. We will discuss these issues in the next section and thus postpone our proof of the criterion until then.

Note: In the mutual exclusion example the three conditions are satisfied. We therefore do not need to unwind that graph. ∎
10. Generating the processes

The processes we generate will look very much like the model graphs we have been dealing with in the preceding sections. If one takes such a graph and eliminates all the labeling except for the I/O operations labeling edges, the result can be interpreted as a CSP-like program. Indeed, executing such a program is traversing the graph while performing the I/O operations on the edges. A node with several outgoing edges is viewed as a guarded command that has as guards the I/O operations appearing on those edges. Thus, according to the definition of CSP, when such a node is reached, one of the operations that is enabled (i.e., such that the matching process is also ready to execute it) is chosen and the corresponding edge is followed.

The easiest process to obtain is the one for the synchronizer $S$. As we explained in section 2, all I/O operations are between the synchronizer and some other process $P_i$. This implies that the model graph we have obtained from the global specifications can be taken as the program for the synchronizer. The only (trivial) transformation that needs to be done is to rename the I/O operations back to their local name (e.g., $begin_1$ becomes $P_1?begin_1$).

Each of the other processes will be obtained by restricting the model graph to the I/O operations of that process.

For a model graph $G = (N, E)$ and a process $P_i$, we thus build a restricted graph $G_i = (N_i, E_i)$. Each node of $G_i$ ($n_i \in N_i$) corresponds to a set of nodes of the graph $G$. For a node $n_i$, we denote its corresponding set of nodes of $G$ as $M_{n_i} \subseteq N$. If the I/O operations of $P_i$ are $\Pi_i = \{p_1, \ldots, p_n\}$, the construction proceeds as follows:

(1) Initially, $G_i$ contains one node; this node corresponds to an initial node of $G$ and all nodes accessible from that node in $G$ through a path containing no edge labeled by a proposition $p \in \Pi_i$.

(2) Repeat step (3) until it has been applied to all nodes in $G_i$.

(3) Select an unprocessed node $n_i \in N_i$. For all propositions $p \in \Pi_i$ create an edge from $n_i$ to a node $n'_i \in N_i$ such that the set $M_{n'_i}$ is the set of all nodes accessible in $G$ from any node in $M_{n_i}$ through a path containing exactly one occurrence of $p$ and no occurrence of any other member of $\Pi_i$ (we call such a path a $p$-path). A new node $n'_i$ is created only when $G_i$ does not already contain a node characterized by the set $M_{n'_i}$. If $M_{n'_i} = \emptyset$ no edge is added.

We then just have to rename the I/O operations back to their local name to obtain the process $P_i$.

Example:

For the mutual exclusion problem specified in section 4, the program for $S$ is: (figure not reproduced on this page)

and for the process $P_1$: (figure not reproduced on this page)

To obtain the graph for $P_1$, we start with the set of nodes in the model graph accessible from $n_1$ by a path not labeled by any operation of process $P_1$. This set is $\{n_1, n_3\}$. The only node accessible from either $n_1$ or $n_3$ through a $begin_1$-path is $n_2$. Thus we have an edge labeled by $begin_1$ leading to a node labeled by $\{n_2\}$. There are no nodes accessible from either $n_1$ or $n_3$ through an $end_1$-path, thus no edge labeled by $end_1$ will leave the node $\{n_1, n_3\}$ of the graph for process $P_1$. The edges leaving $\{n_2\}$ are constructed similarly. ∎

We view the execution of such a system of processes as it is defined in CSP. That is, the processes have to execute matching I/O operations simultaneously. Note that even though our processes consist solely of I/O operations, we do not assume anything about the relative speed of their execution. This means that after a process executes an I/O operation, there could be an arbitrary finite delay before it is ready to execute the following one. This delay could, for instance, correspond to the execution of a purely sequential piece of code.

The last step now is to derive actual CSP programs from the graphs. A simple way to do this is to assign a number to each node of the graph and use a variable $N$ to keep track of the location in the graph. The program is then just one repetitive command where the guards are composed of a test on the value of $N$ followed by an I/O operation, and where the bodies are just an updating of $N$.

Example:

For the synchronizer $S$ in the mutual exclusion example, the CSP program is:

*[ N = 1; P_1?begin_1 → N := 2
 □ N = 1; P_2?begin_2 → N := 3
 □ N = 2; P_1?end_1 → N := 1
 □ N = 3; P_2?end_2 → N := 1 ]

The program repeatedly checks at which location in the graph it is, then waits for the corresponding inputs and finally updates its location variable.

For the process $P_1$, the program is:

*[ N = 1; S!begin_1 → N := 2
 □ N = 2; S!end_1 → N := 1 ]

and for the process $P_2$, the program is:

*[ N = 1; S!begin_2 → N := 2
 □ N = 2; S!end_2 → N := 1 ]

In these programs a purely sequential piece of code can be inserted immediately after the updating of the location variable $N$. ∎
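The restriction construction (steps (1)-(3) above) and the translation of a graph into one repetitive command are short enough to automate. The following Python program is an added illustration and not the paper's code. Its input graph is constructed by hand from the mutual exclusion example: the nodes $n_1$, $n_2$, $n_3$ and the four edges $begin_1$, $begin_2$, $end_1$, $end_2$, with every label other than the I/O operation dropped, and $\Pi_1 = \{begin_1, end_1\}$, $\Pi_2 = \{begin_2, end_2\}$. In the emitted text `[]` stands for the guard separator and `->` for the arrow of the guarded commands; node numbering follows creation order, so the synchronizer and the two processes come out exactly as printed above.

```python
# Added example (not the paper's code): extracting the synchronizer and the
# process programs from a model graph (section 10).  EDGES is the mutual
# exclusion model graph with every label except the I/O operation removed,
# constructed by hand from the paper's example (n1 is the initial node).
EDGES = [('n1', 'begin1', 'n2'), ('n1', 'begin2', 'n3'),
         ('n2', 'end1', 'n1'), ('n3', 'end2', 'n1')]
PI = {'P1': ['begin1', 'end1'], 'P2': ['begin2', 'end2']}   # Pi_i: operations of P_i

def closure(start, edges, forbidden):
    # All nodes reachable from `start` along edges carrying no operation in
    # `forbidden`; the start nodes themselves are included.
    seen, todo = set(start), list(start)
    while todo:
        n = todo.pop()
        for s, op, d in edges:
            if s == n and op not in forbidden and d not in seen:
                seen.add(d); todo.append(d)
    return frozenset(seen)

def restrict(edges, initial, pi):
    # Steps (1)-(3): the restricted graph G_i.  Node k stands for the set
    # nodes[k] of global nodes; the p-edge from it leads to the set of nodes
    # reachable by a p-path (exactly one p, no other member of pi).
    nodes, out, todo = [closure({initial}, edges, pi)], [], [0]
    while todo:
        i = todo.pop(0)
        for p in pi:
            after_p = {d for s, op, d in edges if s in nodes[i] and op == p}
            target = closure(after_p, edges, pi)
            if not target:                     # M_{n'} is empty: no edge is added
                continue
            if target not in nodes:
                nodes.append(target); todo.append(len(nodes) - 1)
            out.append((i, p, nodes.index(target)))
    return nodes, out

def repetitive_command(edges, io):
    # One CSP repetitive command over numbered nodes: every guard tests the
    # location variable N and performs an I/O operation, every body updates N.
    guards = [f"N = {s + 1}; {io(op)} -> N := {d + 1}" for s, op, d in edges]
    return "*[ " + " [] ".join(guards) + " ]"

def synchronizer_program(edges, pi):
    # The model graph itself, with each operation renamed to P_i?op.
    names = sorted({n for s, _, d in edges for n in (s, d)})
    owner = {op: proc for proc, ops in pi.items() for op in ops}
    numbered = [(names.index(s), op, names.index(d)) for s, op, d in edges]
    return repetitive_command(numbered, lambda op: f"{owner[op]}?{op}")

def process_program(proc, edges, pi, initial='n1'):
    # The restricted graph of `proc`, with each operation renamed to S!op.
    return repetitive_command(restrict(edges, initial, pi[proc])[1], lambda op: f"S!{op}")

if __name__ == '__main__':
    print(synchronizer_program(EDGES, PI))
    for proc in PI:
        print(proc, process_program(proc, EDGES, PI))
```

Note that `restrict` never needs the formulas on the edges: once the graph has passed the elimination procedure (or the dynamic satisfiability criterion), the I/O labels alone determine the programs, which is why the processes can be regenerated from a stripped-down graph such as `EDGES`.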

From the way the processes were obtained, it is clear that any concurrent execution of the system of processes (more precisely the sequence of I/O operations performed during the execution) will correspond to a path through the global graph. Thus in the case where we have unwound the graph, the synthesized processes satisfy the specifications. However, we still have to prove that if the global graph satisfies the dynamic satisfiability criterion, then any fair execution of the extracted program will satisfy all eventualities. Recall that in a fair execution every I/O operation that is infinitely often possible (both sender and receiver are ready to perform it) will eventually be executed.

Proposition 9.1: If the model graph satisfies the dynamic satisfiability criterion, then every fair execution of the extracted programs satisfies the specifications.

Proof: In view of the preceding remarks, it is sufficient to show that all eventualities are satisfied. Let us assume that there is some eventuality formula ($\Diamond f$) that is not satisfied for some fair computation. We will show that some operation that realizes the eventuality (satisfies $f$) is infinitely often possible during that computation. Hence, due to our fairness assumption, that operation will be executed, and we have a contradiction. Actually, all we need to show is that for such a computation, some operation satisfying the eventuality will be possible in a finite number of steps. Indeed, the same argument can then inductively be applied to the computation starting after the point where the operation was possible. And, as we only have a finite number of possible I/O operations, one of those satisfying $f$ will be infinitely often possible.

Let us consider the path through the global graph corresponding to our computation. Clearly, no operation $p$ satisfying $f$ appears on that path. Thus either condition (2a) or (2b) of the dynamic satisfiability criterion is satisfied on every maximal acyclic part of the path.

(1) If condition (2a) is satisfied somewhere on the path we have a node on the path that has an outgoing edge labeled by an operation $p$ satisfying $f$. Thus, at that point the synchronizer $S$ is ready to perform $p$. As the operation on the path is in the same process $P_i$ as $p$, that process must also be ready to perform $p$. Thus $p$ is possible.

(2) If condition (2a) is never satisfied, then (2b) has to be satisfied on every maximal acyclic part of the path. Thus some operation $p$ will repeatedly appear as an alternative branch on the path. As no operation in the process $P_i$ containing $p$ appears on the path, when $P_i$ becomes ready to execute $p$ it will remain in that state. Then, when the synchronizer reaches the next node where $p$ is an alternative, $p$ will be possible. ∎


12. Conclusions and Comparison with Other Work

We have shown how the "synchronization part" of processes could be specified and synthesized. The main techniques we have used are:

(1) abstracting concurrent computations to sequences of "events" (in our case I/O operations)

(2) describing these sequences using Propositional Temporal Logic

(3) using the tableau decision procedure for PTL to synthesize the processes.

Clearly there are some limitations to our approach. The most fundamental one is that the synthesized processes are intrinsically finite state. However, this does not exclude practical use of the method since many synchronization problems have finite state solutions. Getting rid of this limitation would most likely eliminate the decidability property of our specification language. We would then no longer be able to guarantee a correct solution to the problem whenever the specifications are satisfiable.

The PTL we have used in this paper, though it has been called expressively complete since it is as expressive as the first order theory of linear order [GPSS80], cannot describe all finite-state behaviors. However, an extension to PTL that would allow the description of all such behaviors has been recently developed [Wo81]. Incorporating it in our specification language would let us describe a wider class of synchronization problems. We also plan to apply the techniques we developed here to the synthesis of network protocols and sequential digital circuits.

Among related work, we should first mention that Clarke and Emerson [CE81] have been independently investigating the use of similar model building techniques for synchronization code synthesis. Their approach is, however, based on a branching time temporal logic and is oriented towards the synthesis of shared memory programs.

Earlier work on the synthesis of synchronization code includes that of Griffiths [Gr75] and Habermann [Ha75]. Griffiths' specification language is rather low-level in the sense that it is procedural in nature. In Habermann's "path expressions", the specification language is regular expressions. This has the disadvantage of requiring a global description instead of a collection of independent requirements, as in PTL. Also, regular expressions cannot describe eventualities explicitly and in [Ha75] no attention is given to the problems of deadlock and starvation.

Among later work on the subject one finds the work of Laventhal [La78], and that of Ramamritham and Keller [RK81]. Here, the specification language is quite expressive. In the former approach it is based on first-order predicate calculus with an ordering relation and in the latter on Temporal Logic. However, in both cases the synthesis method is rather informal and does not rely on a precise underlying theory.